
So, you’re a business owner. You have a crack team of people working towards a common goal. Things are going as they should be.

Then, out of the blue – disaster strikes. You’ve been hacked by a cyber-criminal and the data you have (perfectly legally) accessed, stored and used is at their mercy.

The attack, which has left you helpless, could have been prevented or, at the very least, its fallout could have been limited by a robust cyber-security strategy. Yes, you may have installed the free tier of some threat-detection product or other security software, but just how effective is your plan to repel the online thieves?

Your security requires constant updating if you’re to stay a step ahead of those looking to break through your defences. The threat is real, the consequences dire.

Let’s get into the numbers, first of all. The government’s Cyber Security Breaches Survey reveals that 43% of businesses (and three in 10 charity organisations) reported a cyber-security breach or attack in a 12-month period. That means more than 600,000 businesses have been targeted. Marks and Spencer and the Co-op each had to suspend their online services this year after their systems were breached.

Harrods was also targeted earlier this year and, although its IT team acted quickly to secure its systems, it came at the expense of customers’ ability to use the online store, whose capabilities were significantly reduced.

Away from the retail sector, the Legal Aid Agency’s data was accessed by cyber-criminals in April. The hackers claimed to have extracted more than two million pieces of data, dating back to 2010. That breach potentially affected hundreds of thousands of people whose personally identifiable information was held by the agency. That’s a huge identity theft and fraud risk for a substantial number of legal aid applicants. The agency is in the process of establishing a new portal for users, but it isn’t yet fully operational.

If it’s good news you’ve come here for, there is a slight reduction on the 2024 figures (around 718,000, or half of all businesses), but the experts put that down to fewer small and micro businesses recognising when they have been hit by a phishing attack rather than to fewer attacks. Breaches and attacks on medium and large companies are at much the same level as last year: the proportion of medium businesses hit rose slightly to 70%, while the proportion of large businesses affected fell one point to 74%.

It’s clear that cyber-crime poses a serious, widespread and ongoing threat. The estimated cost to businesses around the world could run to trillions. Attacks are often complex, certainly malicious and harmful to businesses in a variety of ways. It’s vital that your cyber-security systems are constantly updated to keep up with the dangers posed by an ever-evolving landscape.

The best-known threat is software written specifically to damage, spy on or take control of a company’s systems: malicious software, or malware for short. It takes many forms, such as viruses, worms and Trojan horses. One form of malware is worryingly prevalent: ransomware. As the name suggests, the victim is held to ransom. The malware encrypts a business’s vital files (often copying them out to the attackers first), and a decryption key is promised only once the criminals’ demands are met. Generally, the bigger the company, the larger the sum the ransomware operators are likely to demand. While the total number of cyber-attacks dipped slightly between last year and this, ransomware incidents have risen: an estimated 1% of UK businesses, around 19,000, are expected to be hit by ransomware this year.

Not wholly dissimilar to ransomware attacks, in the sense of disrupting a firm’s legitimate operations, are denial-of-service attacks. The aim here is to knock a company’s website or network offline by flooding it with more traffic or requests than it can handle, often from many hijacked machines at once (a distributed denial-of-service, or DDoS, attack).

But not all data breaches are down to hackers’ technical skill. Phishing, which relies on deception rather than technical expertise to trick users into disclosing information such as passwords and bank details, is the most commonly reported type of attack in the government survey.

Phishing aside, cyber-threats are evolving and becoming more sophisticated all the time. A company’s data is sensitive and needs effective protection systems and protocols: virtually every business holds customer information, financial details and records, exactly the data a cyber-criminal wants to get hold of.

A data breach not only puts at risk those whose data is compromised; it can also be a major disruption to a company’s day-to-day activity. That downtime costs money, one way or another, so effective plans should be in place: first, to repel an attempt to break into the system, and second, to set out what to do in the event of a breach. Privacy is at the heart of everyone’s worries about conducting so much of their lives, business and personal, online. And if it isn’t, it should be.

Many firms, in all manner of sectors, rely on repeat business. That, of course, depends on establishing and maintaining a trusting relationship between company and customer. Any customer who is worried that their data isn’t safe with the business they are buying from is unlikely to stick around for long.

What strategy should a business – any business, regardless of its size – employ to deter hackers then?

Firstly, your security policies should contain detailed procedures for handling confidential information, for recognising and reporting suspicious activity, and for reacting to a cyber-attack. Make sure your staff are cyber-threat savvy so that they provide a ‘first line of defence’ against hackers, and instil good practice in spotting phishing attempts and keeping systems secure.

In order to give yourself and your company the best chance of repelling cyber-thieves you should always:

  • Ensure all users have strong and unique passwords – Any staff member using Password1 or Welcome1 is in dire need of some cyber-security training, and quickly. Length matters more than forced complexity: a long passphrase (the NCSC suggests three random words) beats a short string of symbols, and no password should ever be reused across accounts and applications. A password manager makes unique passwords practical, and checking new passwords against lists of known-breached ones stops the Password1 problem at the door.
  • Have multi-factor authentication enabled – A second factor on top of the password protects an account even after that password has been phished or leaked. A code sent by text message is better than nothing, an authenticator app is stronger, and a hardware security key or passkey is stronger still because it cannot be relayed through a fake login page. Turn MFA on for email and remote-access accounts first; those are the ones attackers go for.
  • Lock unattended devices – It doesn’t take long for an unlocked computer to become a massive liability, so even if your team member is stepping away for a minute or two they should always secure their device. Have an automatic screen lock set up too, just in case.
  • Avoid public Wi-Fi networks without encrypting your data – Public connections are convenient, but anyone on the same network can see which sites you connect to and can intercept anything not sent over HTTPS. A virtual private network (VPN) wraps all of the device’s traffic in an encrypted tunnel back to a network you control; tethering to a mobile connection is a simpler alternative.
  • Be wary of sharing – Keep what work-related information you share on social media to a minimum. Hackers won’t think twice about using whatever information they can get their hands on to get more, or guess their way through security measures. Knowledge is power, remember?
  • SLAM the door on phishing emails – If a communication makes you suspicious, you’re probably right to be. Examine an unsolicited or otherwise dodgy email using the SLAM method:
    Sender: check the actual address, not just the display name, which can say anything. Look for a Reply-To that points somewhere else and for lookalike domains that swap a letter for a digit.
    Links: hover over a link to reveal the real destination before clicking on it; the text of a link can show one address while pointing to another. Read the domain from the right, because the genuine name can be buried in a subdomain of a fake one.
    Attachments: don’t open unexpected attachments, above all executable or script files and archives that contain them; macro-enabled Office documents count too.
    Message: manufactured urgency (“act within the hour”, “your account will be suspended”), clumsy grammar and requests for credentials or payment details are the usual giveaways.
  • Report suspicious activity ASAP – A staff member who notices something – anything – out of the ordinary should be vigilant and report it to the good folk in IT. This could be an unusual email, a drop in system speeds…anything that shouldn’t be happening. Catching an attack early greatly improves the chances of preventing it escalating.
  • Use proper disposal methods – This applies to digital and physical information of a sensitive or confidential nature. Shred hard copies of documents that you don’t want falling into the wrong hands, and wipe devices properly before they leave your control: deleting files alone does not remove them, so use a full overwrite or, for encrypted drives, destroy the encryption key. A sanitised device is a safe device.
  • Apply stringent controls to ALL devices – if your staff use their own equipment for work purposes, ensure that the cyber-security protections apply to personal devices too. Employ practices that separate work and personal activities, including ensuring that no company and/or sensitive data is stored on unauthorised equipment or cloud services.
  • Keep abreast of the latest updates – Apply security updates to operating systems, applications, firmware and network devices promptly; many intrusions exploit flaws for which a fix already exists. Turn on automatic updates where you can, and keep anti-malware and email-filtering products current, because malware variants and phishing techniques keep evolving and so must your protection.
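The SLAM checks above can be partly automated before a message ever reaches a person. The Python script below is an added example written for this article, not code from the original page or from any product it mentions: it parses a raw email, tests the Sender, Links, Attachments and Message in turn, and returns the findings. The message it inspects is constructed for the purpose, the domains example-co.com and examp1e-co.com are invented, and the lists of risky extensions and urgency phrases are assumptions that a real deployment would extend.

```python
"""SLAM-style phishing triage over a raw email message.
Added example for this article, not code from the original page. The
message, names and domains below are constructed; nothing touches the network."""
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that should not arrive as unsolicited attachments (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm"}
# Pressure phrases for the "M" check (assumed list; extend for your own mail).
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|within \d+ (?:hour|minute)s?|"
    r"account will be (?:suspended|closed|locked))\b", re.I)
# Digit-for-letter swaps commonly used in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(candidate: str, trusted: str) -> bool:
    """A different registered domain that collapses onto the trusted one."""
    def norm(d):
        return registered_domain(d).translate(CONFUSABLES).replace("rn", "m")
    return (registered_domain(candidate) != registered_domain(trusted)
            and norm(candidate) == norm(trusted))

def address_domain(header_value) -> str:
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def slam_check(raw: bytes, org_domain: str) -> dict:
    """Run the four SLAM checks; org_domain is the recipient's own domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"sender": [], "links": [], "attachments": [], "message": []}
    # S: Sender. A Reply-To that goes elsewhere, or a lookalike of our domain.
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and registered_domain(reply_dom) != registered_domain(from_dom):
        findings["sender"].append(f"Reply-To {reply_dom} differs from From {from_dom}")
    for dom in (from_dom, reply_dom):
        if dom and is_lookalike(dom, org_domain):
            findings["sender"].append(f"lookalike domain {dom}")
    # L: Links. Visible URL text disagreeing with the real href, or lookalikes.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                                     html.get_content(), re.I | re.S):
            real = urlparse(href).hostname or ""
            shown = urlparse(text.strip()).hostname or ""
            if shown and registered_domain(shown) != registered_domain(real):
                findings["links"].append(f"text shows {shown} but href goes to {real}")
            if real and is_lookalike(real, org_domain):
                findings["links"].append(f"lookalike link domain {real}")
    # A: Attachments. Executable and script types by extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings["attachments"].append(f"executable attachment {name}")
    # M: Message. Manufactured urgency in the subject or any text part.
    texts = [str(msg["Subject"] or "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            texts.append(part.get_content())
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer("\n".join(texts))})
    if hits:
        findings["message"].append("urgency language: " + ", ".join(hits))
    return findings

def risk_score(findings: dict) -> int:
    """One point per finding; anything above zero deserves a human look."""
    return sum(len(v) for v in findings.values())

def build_sample() -> bytes:
    """Constructed phishing message posing as the recipient's own IT desk."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk" <helpdesk@example-co.com>'
    msg["Reply-To"] = "support@examp1e-co.com"      # digit 1 in place of letter l
    msg["To"] = "alice@example-co.com"
    msg["Subject"] = "URGENT: password expiry"
    body = ("Your password expires within 1 hour. Act immediately or "
            "your account will be suspended.")
    msg.set_content(body)
    msg.add_alternative(f'<html><body><p>{body}</p><p><a href="http://examp1e-co.com/reset">'
                        'https://portal.example-co.com/reset</a></p></body></html>',
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    result = slam_check(build_sample(), "example-co.com")
    print(risk_score(result), result)
```

Run against the constructed message it reports six findings: the Reply-To mismatch and the lookalike sender domain, the link whose text shows portal.example-co.com but whose href goes to examp1e-co.com (itself a lookalike), the executable attachment and the urgency wording. The lookalike test is deliberately naive (two-label domains, a handful of digit-for-letter swaps); a real filter would use a public-suffix list and a fuller confusable table, and would feed the score into quarantine rather than print it.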

It’s clear that the dire problem of cyber-thieves isn’t going away. Unfortunately, not all companies have stringent controls and security protocols in place. That’s a real issue for those whose personal information is at risk.

If you believe your data has been accessed by those without legitimate reason, it’s time to take action. Contact a member of our data breach team and see what help they can give you as you seek compensation.
